
Critical SonicWall SonicOS Flaw Lets Hackers Crash Firewalls

Summary

– SonicWall is urging customers to patch a high-severity SSLVPN security flaw (CVE-2025-40601) that can crash vulnerable firewalls through a denial-of-service attack.
– This stack-based buffer overflow vulnerability affects Gen8 and Gen7 firewalls but not Gen6 firewalls or SMA 1000/100 series SSL VPN products.
– While no active exploitation has been detected, SonicWall strongly recommends applying security updates or disabling the SSLVPN service if immediate patching isn’t possible.
– The company also patched two Email Security appliance vulnerabilities (CVE-2025-40604 and CVE-2025-40605) enabling remote code execution and information access.
– These updates follow recent security incidents including a September breach by state-sponsored hackers and OVERSTEP rootkit malware attacks on SMA devices.

Cybersecurity firm SonicWall has issued an urgent call for customers to address a high-severity security flaw within its SonicOS SSLVPN service. This vulnerability, identified as CVE-2025-40601, could enable attackers to crash affected firewalls through a denial-of-service attack. The issue stems from a stack-based buffer overflow impacting both Gen8 and Gen7 hardware and virtual firewalls.

According to SonicWall, the flaw permits a remote unauthenticated attacker to trigger a Denial of Service condition, potentially causing the firewall to crash. The company’s Product Security Incident Response Team (PSIRT) has stated that there is currently no evidence of active exploitation in the wild. Additionally, no proof-of-concept code has been publicly released, and SonicWall has not received any reports of malicious use targeting this specific vulnerability.

It is important to note that Gen6 firewalls, along with the SMA 1000 and SMA 100 series SSL VPN products, remain unaffected by this particular security issue. Despite the absence of observed attacks, SonicWall strongly recommends that network administrators implement the guidance provided in the latest security advisory without delay.

For administrators managing affected systems, specific fixed firmware versions are available. Gen7 hardware firewalls, including models such as TZ270, TZ370, TZ470, TZ570, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, and NSsp series, should be updated to version 7.3.1-7013 or later. Gen7 virtual firewalls (NSv series) on platforms including ESX, KVM, Hyper-V, AWS, and Azure also require the same update. Gen8 firewall models, such as TZ80, TZ280, TZ380, TZ480, TZ580, TZ680, NSa 2800, NSa 3800, NSa 4800, and NSa 5800, must be upgraded to version 8.0.3-8011 or higher.

In situations where immediate patching is not feasible, administrators are advised to either disable the SonicOS SSLVPN service entirely or adjust firewall rules to restrict access exclusively to trusted sources. These temporary measures can help mitigate risk until a permanent fix is applied.
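As an added example (not from the article or from SonicWall), the following Python helper turns the fixed-version and model lists above into a per-device verdict for an inventory, so an administrator can see which firewalls still need the update. It assumes model names can be normalised by dropping spaces and hyphens, that NSv and NSsp names identify Gen7 units as the advisory lists them, and that any text after the build number in a version string can be ignored.

```python
import re

# Fixed SonicOS builds named in the advisory for CVE-2025-40601, by generation.
FIXED = {"Gen7": "7.3.1-7013", "Gen8": "8.0.3-8011"}

# Affected models as listed in the advisory (normalised: upper-case, no spaces/hyphens).
GEN7 = {"TZ270", "TZ370", "TZ470", "TZ570", "TZ670",
        "NSA2700", "NSA3700", "NSA4700", "NSA5700", "NSA6700"}
GEN8 = {"TZ80", "TZ280", "TZ380", "TZ480", "TZ580", "TZ680",
        "NSA2800", "NSA3800", "NSA4800", "NSA5800"}

# Leading "major.minor.patch-build"; anything after the build number is ignored
# (assumption: extra suffixes on the version string do not change the build).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")

def parse_version(text):
    """Turn '7.3.1-7013' into the comparable tuple (7, 3, 1, 7013)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def generation_of(model):
    """Gen7/Gen8 from the advisory's lists, 'SMA' for the unaffected SMA series, else None."""
    key = re.sub(r"[\s-]", "", model).upper()
    if key in GEN7 or key.startswith(("NSV", "NSSP")):  # NSv and NSsp series are Gen7
        return "Gen7"
    if key in GEN8:
        return "Gen8"
    if key.startswith("SMA"):
        return "SMA"
    return None

def assess(model, running_version):
    """Return 'patched', 'vulnerable', 'unaffected' or 'unknown' for one device."""
    gen = generation_of(model)
    if gen is None:
        return "unknown"      # not in the advisory's lists: check the vendor advisory
    if gen == "SMA":
        return "unaffected"
    if parse_version(running_version) >= parse_version(FIXED[gen]):
        return "patched"
    return "vulnerable"

def triage(inventory):
    """inventory: iterable of (hostname, model, version) tuples -> {hostname: status}."""
    return {host: assess(model, ver) for host, model, ver in inventory}
```

Devices reported as "vulnerable" are candidates for the SSLVPN disable or source-restriction workaround described above until they can be upgraded.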

In a related development, SonicWall also addressed two additional vulnerabilities impacting its Email Security appliances. These include models ES Appliance 5000, 5050, 7000, 7050, 9000, as well as virtual deployments on VMware and Hyper-V. The flaws, tracked as CVE-2025-40604 and CVE-2025-40605, could allow remote attackers to execute arbitrary code persistently and access restricted information. SonicWall has strongly urged users of these email security products to apply the available upgrades promptly.

This recent security advisory follows earlier incidents involving SonicWall products. Earlier this month, the company confirmed that a state-sponsored hacking group was responsible for a September breach that led to the exposure of customer firewall configuration backup files. This disclosure came roughly one month after researchers warned that threat actors had compromised more than 100 SonicWall SSLVPN accounts using stolen credentials.

Additionally, in September, SonicWall released a firmware update designed to help IT administrators remove the OVERSTEP rootkit malware, which had been deployed in attacks targeting SMA 100 series devices.

(Source: Bleeping Computer)
